Improper Restriction of Excessive Authentication Attempts in Mendix Forgot Password Appstore module and Mendix Forgot Password Appstore module (Mendix 7 compatible)

#VU61234 Improper Restriction of Excessive Authentication Attempts in Mendix Forgot Password Appstore module and Mendix Forgot Password Appstore module (Mendix 7 compatible)

Published: 2022-03-10

Vulnerability identifier: #VU61234

Vulnerability risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26314

CWE-ID: CWE-307

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix Forgot Password Appstore module
Other software / Other software solutions
Mendix Forgot Password Appstore module (Mendix 7 compatible)
Other software / Other software solutions

Vendor: Siemens

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to initial passwords are generated in an insecure manner. A remote attacker can perform a brute-force attack and gain valid credentials.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mendix Forgot Password Appstore module: 3.3.0

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens Mendix Forgot Password Appstore module